Spam problem on a new installation

[SamTzu]

I just installed a new Zimbra (.18) for testing purposes on a branch office internal LAN network behind a firewall. I then opened a hole on the firewall on port 25 to test the installation. It worked. Today I find that lots of spam has been sent from that server (from yahoo.com.tw address mostly) even though It's only a day old and there has not been a mail server at that IP address previously. How is that possible? What can I do to block the hole?

The mail server has the same name in DNS and host file.
The mail server Internal network address is 10.10.x.y
The mail server External network address is 217.25.x.y
Firewall has NIC's & addresses on both networks.



PS. The Joomla based PHP mailing component that I tested uses SMTP authentication with username and password.
How can I see if the spam has come that way?

[phoenix]

How do you determine that spam has been sent from that server? Are there any local Windows PCs on that LAN? Have you checked the logs to see who has connected o that server?

Opening port 25 in the firewall will not let anyone use that as a relay, by default Zimbra is not an open relay unless you've modified it to be one. Use a web 'open relay' checking service to see if your server is open.

[SamTzu]

There was over a 1500 mails in deferred que. (Mostly from that yahoo.com.tw address.)
(Message count actually showed 250 k but I'm not sure that's accurate.)
(Spam count for the same time shows 8.0 k.)

It's a Linux only network.

Still debugging and checking the logs.

PS. How do you clear the mail que in Zimbra from command line?

[uxbod]

Code:

su - zimbra
postsuper -d ALL

That will delete everything in the mail queue. So onto why it may have allowed SPAMs to be sent. You can check whether you are a open relay using Mail relay testing. If it says its open then I would imagine it is down to the networks you have specified for Postfix so please post the following

Code:

su - zimbra
zmprov gs `zmhostname` zimbraMtaMyNetworks

[SamTzu]

Here is sample from the log files...

Jul 17 09:32:43 zimbra-list1 amavis[6437]: (06437-01) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20090717T093243-06437: <Brian_Maria652@ms9.hinet.net> -> <graces89@yahoo.com.tw>,<gracesaly@yahoo.com.tw>,< gracesasa2000@yahoo.com.tw>,<graceschoolther@yahoo .com.tw>,<gracescop@yahoo.com.tw>,<gracesctsao@yah oo.com.tw>,<gracescully@yahoo.com.tw>,<graceself@y ahoo.com.tw>,<gracesgw1216@yahoo.com.tw>,<gracesh2 002@yahoo.com.tw>,<gracesh888@yahoo.com.tw>,<grace shan63@yahoo.com.tw>,<graceshaw@yahoo.com.tw>,<gra ceshe1101@yahoo.com.tw>,<graceshea0317@yahoo.com.t w>,<graceshen_0706@yahoo.com.tw> SIZE=952 BODY=8BITMIME Received: from zimbra-list1.our-domain.com ([127.0.0.1]) by localhost (zimbra-list1.our-domain.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP; Fri, 17 Jul 2009 09:32:43 +0300 (EEST)
Jul 17 09:32:43 zimbra-list1 amavis[6437]: (06437-01) Checking: xNLJU7+LUmOY [10.10.11.1] <Brian_Maria652@ms9.hinet.net> -> <graces89@yahoo.com.tw>,<gracesaly@yahoo.com.tw>,< gracesasa2000@yahoo.com.tw>,<graceschoolther@yahoo .com.tw>,<gracescop@yahoo.com.tw>,<gracesctsao@yah oo.com.tw>,<gracescully@yahoo.com.tw>,<graceself@y ahoo.com.tw>,<gracesgw1216@yahoo.com.tw>,<gracesh2 002@yahoo.com.tw>,<gracesh888@yahoo.com.tw>,<grace shan63@yahoo.com.tw>,<graceshaw@yahoo.com.tw>,<gra ceshe1101@yahoo.com.tw>,<graceshea0317@yahoo.com.t w>,<graceshen_0706@yahoo.com.tw>
Jul 17 09:32:46 zimbra-list1 amavis[6437]: (06437-01) Blocked SPAM, LOCAL [10.10.11.1] [10.10.11.1] <Brian_Maria652@ms9.hinet.net> -> <graces89@yahoo.com.tw>,<gracesaly@yahoo.com.tw>,< gracesasa2000@yahoo.com.tw>,<graceschoolther@yahoo .com.tw>,<gracescop@yahoo.com.tw>,<gracesctsao@yah oo.com.tw>,<gracescully@yahoo.com.tw>,<graceself@y ahoo.com.tw>,<gracesgw1216@yahoo.com.tw>,<gracesh2 002@yahoo.com.tw>,<gracesh888@yahoo.com.tw>,<grace shan63@yahoo.com.tw>,<graceshaw@yahoo.com.tw>,<gra ceshe1101@yahoo.com.tw>,<graceshea0317@yahoo.com.t w>,<graceshen_0706@yahoo.com.tw>, Message-ID: <e5920591a7d6e3937648f4290273ebf4@localhost.locald omain>, mail_id: xNLJU7+LUmOY, Hits: 18.773, size: 952, 3675 ms
Jul 17 09:32:46 zimbra-list1 amavis[6437]: (06437-01) extra modules loaded: /opt/zimbra/zimbramon/lib/i486-linux-gnu-thread-multi/auto/Net/SSLeay/autosplit.ix, /opt/zimbra/zimbramon/lib/i486-linux-gnu-thread-multi/auto/Net/SSLeay/randomize.al, IO/Socket/SSL.pm, Net/LDAP/Extension.pm, Net/SSLeay.pm

[SamTzu]

Looks normal.

root@zimbra-list1:/var/log# su zimbra
zimbra@zimbra-list1:/var/log$ zmprov gs `zmhostname` zimbraMtaMyNetworks
# name zimbra-list1.our-domain.com
zimbraMtaMyNetworks: 127.0.0.0/8 10.10.11.0/24

[uxbod]

Well check if your server is a open relay and if not it maybe that a account has been compromised so also check /opt/zimbra/log/audit.log for any erroneous account activity.

[SamTzu]

I actually tried that...

su - zimbra
postsuper -d ALL

postsuper: fatal: use of this command is reserved for the superuser

[uxbod]

Oops As root

Code:

/opt/zimbra/postfix/sbin/postsuper -c /opt/zimbra/postfix/conf -d ALL

[SamTzu]

Much better, thx.